Whether the foe is fire, data breach, or hardware defect, data centers must be protected against many hazards. A series of quality seals and certificates shows which of the necessary security precautions a given data center demonstrably meets. The following description is based on the example of the data center in St. Leon-Rot. SAP ensures that the same or equivalent certificates are valid at every data center where cloud solutions are run.

Data centers are sensitive entities that are exposed to hazards on many fronts. Imagine that all your data was suddenly lost because of a hardware malfunction. For most users and data center operators, this would represent a tremendous loss. For some, it would even spell their demise.

However, there is no need to assume the worst right away. Location alone can make a data center more or less secure: a nearby stream, for example, poses a risk of flooding. Unauthorized access can cause accidental or intentional damage. And equipment-related defects can result in failures and downtime.

Germany’s Federal Office for Information Security (BSI) lists various hazard categories in its IT-Grundschutz manuals for basic IT security. Data centers would be well-advised to take appropriate preventive measures against, for example:

Force majeure, for example, flooding, fire, and lightning;

Organizational defects, such as sloppy or inadequate access rules for areas requiring security;

Technical failure, like a failure of the power supply or security equipment;

Deliberate acts, including theft, unauthorized entry, or sabotage.

Certifications offer security

In the same way that cars in Germany require a TÜV inspection for roadworthiness at certain, pre-determined intervals, data centers should also have to demonstrate their operation-worthiness. Ultimately, this benefits both data center operators and users.

Data center operators would do well to understand that operating their technical equipment, associated systems, and data in a proper environment has a direct bearing on their economic existence. Users, in turn, want to be able to count on their data being stored in a safe and protected manner. In particular, data centers that function as outsourcing service providers with responsibility for their customers’ data are obligated to maintain high security standards.

Certifications help to objectively identify and professionally evaluate security risks.

To do so, the security level of a given IT infrastructure is systematically examined against a defined set of assessment criteria. If the data center passes the inspection, the operator receives a conformity document, usually in the form of a certificate, stating that it operates its facility securely and reliably according to the current state of the art.

Who certifies what

Behind every certification, there is an inspection of certain parameters or criteria. For example, an inspection might test the power supply, availability, or regulatory compliance (such as with the German Digital Signature Act). The significance of any given certificate is only as strong as the requirements defined by the certification or attestation organization and the rigor of the institution that performs the inspection.

Besides evaluating data center security, cloud providers are also interested in protecting their software and operations. Once the security of these two realms is assured, then customers can entrust their needs and data to the service providers.

Certification organizations perform their inspections in accordance with various standards. Multiple auditing firms conduct audits based on national and international standards, such as ISO 27001, SOC 1 / SSAE 16, and SOC 2. The SAP data center is also audited according to these standards. Once the audit is successfully passed, the data center receives a certificate or attestation report verifying its compliance with the respective standard.

Summary

Security 02.03. Certification for Security’s Sake

Data centers are sensitive entities that are exposed to hazards on many fronts. There are four potential hazards that pose a threat to data centers: force majeure, organizational defects, technical failures, and deliberate acts.

Besides the data center itself, the security of cloud software must also be checked. Using various evaluation criteria, this security level is systematically inspected in a certification audit. The certification process itself takes place according to a firmly established sequence.

Data center and cloud software certifications and attestations are performed by various organizations that conduct the audits. The most important standards and quality seals are ISO 22301, ISO 27001, SOC 1 / SSAE 16, and SOC 2.

ISO 27001

This standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It is a risk-based approach that covers the confidentiality, integrity, and availability of the information that needs to be managed. The SAP data center is a vital part of the annual internal and external surveillance audits.

SOC 1 / SSAE 16

An SSAE 16 / SOC 1 (Service Organization Controls) audit produces a report on the controls at a service organization that are relevant to user entities’ internal control over financial reporting. The physical security perimeters of the SAP data center are therefore part of the bi-annual audits.

SOC 2

A SOC 2 report covers a service provider’s controls relevant to the security, availability, processing integrity, confidentiality, or privacy of the systems it operates for its customers (the Trust Services Criteria), rather than to financial reporting as in SOC 1. The SAP data center is also in scope for these bi-annual audits.

ISO 22301

ISO 22301 is a standard in the field of business continuity management (BCM) that aims to ensure continued operation in critical situations. It sets the requirements for a business continuity management system that protects against business disruptions and ensures the organization is able to recover in the event of a disruption.